I forgot to check my calendar. Is it "guess the programming language day" again already? It seems to come around more quickly every year.
–
Mawg, Jul 9 at 15:10

@Mawg I think the presumption was that the question could be asked independent of programming language, for any languages that store their functions as string keys (of which there are more than one)
–
Katana314, Jul 9 at 16:33

Perhaps - but wouldn't the point of the question - "what can go wrong with this" - depend upon the language?
–
Mawg, Jul 10 at 6:13

6 Answers

At run time, the worst thing that could probably happen is that the method doesn't exist, so you get some sort of run-time error saying ERROR: method: 'switchToFoo' could not be found in context blah blah blah...

I'm not really sure if this type of code could be vulnerable to injection attacks. Where does the value for filter come from?

A bigger problem might be that whatever development tools you're using won't be able to work with this. For example, if you want your IDE to search for all places where switchToFoo is called, it won't be possible to find the ones called by the snippet you show above. Or if you want to refactor switchToFoo to switchToFou, you have to change the method name, and then change the code that passes the value for filter. You will know all about this, but this sort of thing usually trips up developers who are new to the project.

Assuming they did myObject.containsKey(filterMethod), or something similar, though, what would be the drawbacks?
–
mowwwalker, Dec 18 '13 at 20:55


@mowwwalker I guess, well, some people really, really dislike children. That might be a disadvantage in this case?
–
enderland, Dec 18 '13 at 20:56

Am I missing something? The question asks about the problem with composing a method name, but this answer talks about a non-existing method. Wouldn't a missing method be a problem in JavaScript regardless of how it is called, as long as there is no existence check?
–
Codism, Dec 18 '13 at 22:01

The biggest risk is trying to access something that doesn't exist within the array structure. In the worst case, that will crash your application. In the best case, there wouldn't be any perceived operation going on.

If you wrapped that logic with some guard checks to make sure you weren't accessing something that wasn't there, it would be a little bit more robust. You could also consider adding logging for the errant requests that still manage to come in. With log information, you could hunt the problems down after the fact.

It's a form of reflection, which has its uses in dynamically-built applications (like a GUI builder for example) or plugins, but should be a matter of last resort outside those contexts.

In addition to the excellent reasons stated in other answers, it's a sign that your class hierarchy probably needs refactoring. Doing so will most likely make it much easier to reason about all your code. For one refactored example:

If filter is from an external source, like a user, you have a potential source of unintended errors, and possibly a security issue depending on the contents of myobject.

The lookup occurs at runtime so you don't get the typical benefits of type checking (existence, call signature matches function signature, etc)

That being said, I do use dispatch tables much like what you have in your example. They are useful in particular instances. The key is understanding what the costs (and risks) are and making sure they don't outweigh the benefits.

Yes, as a remote possibility. He's not really sure about it. I'm damned sure about it, which makes the practice unacceptable. Unless you prove that code injection is not possible. Which you can't.
–
gnasher729, Jul 10 at 0:42

Meh. Code injection doesn't really constitute a serious vulnerability if either A) the user providing the input is also the user who is at risk of being compromised, or B) the user who provided the input already has access to the machine. So, abusing reflection in this manner is not necessarily a significant security risk. Hence why the accepted answer asked where the value came from; if it came from the owner of the machine, it's not as much of a risk.
–
Brian, Jul 10 at 3:57
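The two answers above recommend guard checks with logging of errant requests, and a dispatch table whose costs and risks you understand. The following is an added example, not code from the question or from any of the answers, written in JavaScript since that is the language the comments mention. It shows three versions of the composed-name call: the unguarded form, a naive truthiness "guard" that still reaches methods inherited from Object.prototype, and an allow-listed Map with a log of rejected names. The object `view`, its `switchTo*` methods and every input are constructed for illustration.

```javascript
// Added example, not code from the original question or answers. The object,
// method names and inputs below are all constructed for illustration.

// A target object whose methods are selected by a composed name, as in the question.
const view = {
  switchToList()  { return 'list'; },
  switchToGrid()  { return 'grid'; },
  switchToTable() { return 'table'; },
};

// 1. The pattern with no guard. For an unknown filter, view['switchTo' + filter]
//    is undefined, and calling it throws a TypeError at run time.
function dispatchUnguarded(filter) {
  return view['switchTo' + filter]();
}

// Returns the result, or the error class name, so the failure mode is observable.
function tryUnguarded(filter) {
  try {
    return dispatchUnguarded(filter);
  } catch (err) {
    return err.constructor.name;
  }
}

// 2. A truthiness check is not an existence check. Looking the bare name up on a
//    plain object also reaches everything inherited from Object.prototype, so
//    'toString' or 'constructor' pass the "guard" and get called.
function dispatchTruthyGuard(name) {
  const fn = view[name];
  if (fn) {
    return fn.call(view);
  }
  return null;
}

// 3. Dispatch table as an allow-list: a Map holds only the names we registered,
//    so inherited names never resolve, and a miss is logged instead of thrown.
const handlers = new Map([
  ['list',  () => view.switchToList()],
  ['grid',  () => view.switchToGrid()],
  ['table', () => view.switchToTable()],
]);

const rejected = []; // errant requests, kept so problems can be hunted down later

function dispatchGuarded(filter) {
  const handler = handlers.get(filter);
  if (handler === undefined) {
    rejected.push(String(filter));
    return null;
  }
  return handler();
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(tryUnguarded('List'));            // list
  console.log(tryUnguarded('Gone'));            // TypeError
  console.log(dispatchTruthyGuard('toString')); // [object Object]: an inherited method ran
  console.log(dispatchGuarded('grid'));         // grid
  console.log(dispatchGuarded('toString'));     // null
  console.log(rejected);                        // [ 'toString' ]
}
```

The Map (an object created with Object.create(null) would do as well) is what turns "does this key exist somewhere on the object or its prototype chain" into "did we register this key", which is the property you actually want when the name comes from outside. The log of rejected names is cheap and is what lets you tell a typo in your own code from a probe by a caller.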